BThack - PoC of the Method Confusion Attack on Bluetooth Pairing

Original paper: Method Confusion Attack on Bluetooth Pairing

Affected devices + Threat status

CVE: CERT report
Bluetooth SIG: SIG security alert
Apple: iOS / iPadOS
Google: ...

Every pairing between any BLE devices using Numeric Comparison or Passkey Entry is vulnerable to the Method Confusion attack.

Fix

Currently there is no fix available that would not massively affect backward compatibility with older Bluetooth devices.

Device vendors can only try to educate their users about the threat and display the pairing method in use prominently (giving aware and knowledgeable users the possibility to detect an ongoing attack).

This is of course just a mild mitigation and entirely defeats the idea of a simple and secure trust-on-first-use (TOFU) establishment.

Bluetooth's security model has to be considered broken until a solution is found. We are following the decisions of the Bluetooth SIG closely.
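As an added example (not part of BThack or BTstack), the following helper shows what a vendor implementing the mitigation above needs: the lookup of the LE Secure Connections association model from both sides' IO capabilities (Bluetooth Core Specification Vol 3, Part H, Table 2.8, non-OOB case) and a prominent, user-facing prompt that states both what the local user does and what the other device must be showing, so a user can notice when the two screens do not agree on the method. The prompt wording and the `IoCap`/`select_method`/`pairing_prompt` names are assumptions of this example.

```python
# Added example, not part of BThack or BTstack: look up the LE Secure Connections
# association model from both sides' IO capabilities (Core Spec Vol 3, Part H,
# Table 2.8, non-OOB case) and build the prominent pairing prompt a vendor should
# show. The prompt names both the local action and what the peer must be doing.
from enum import Enum


class IoCap(Enum):  # values as carried in the SMP Pairing Request/Response
    DISPLAY_ONLY = 0x00
    DISPLAY_YES_NO = 0x01
    KEYBOARD_ONLY = 0x02
    NO_INPUT_NO_OUTPUT = 0x03
    KEYBOARD_DISPLAY = 0x04


JW, NC = "Just Works", "Numeric Comparison"
PE_I = "Passkey Entry: initiator displays, responder inputs"
PE_R = "Passkey Entry: responder displays, initiator inputs"
PE_B = "Passkey Entry: both input"

# Rows: initiator capability; columns: responder capability in IoCap value order.
_TABLE = {
    IoCap.DISPLAY_ONLY:       [JW,   JW,   PE_I, JW, PE_I],
    IoCap.DISPLAY_YES_NO:     [JW,   NC,   PE_I, JW, NC],
    IoCap.KEYBOARD_ONLY:      [PE_R, PE_R, PE_B, JW, PE_R],
    IoCap.NO_INPUT_NO_OUTPUT: [JW,   JW,   JW,   JW, JW],
    IoCap.KEYBOARD_DISPLAY:   [PE_R, NC,   PE_I, JW, NC],
}


def select_method(initiator: IoCap, responder: IoCap, mitm: bool = True) -> str:
    """Association model for a non-OOB LE SC pairing; without the MITM flag it is Just Works."""
    if not mitm:
        return JW
    return _TABLE[initiator][responder.value]


def pairing_prompt(method: str, is_initiator: bool) -> str:
    """Prominent prompt: what this user does AND what the other device must show."""
    if method == NC:
        return "COMPARE: the same 6-digit number must be shown on BOTH devices; confirm only if equal"
    if method == JW:
        return "NO CONFIRMATION: this pairing is not protected against an active attacker"
    if method == PE_B:
        return "TYPE: both devices must ask you to type the same passkey"
    local_displays = (method == PE_I) == is_initiator  # this side is the displaying side
    if local_displays:
        return "READ OUT: this device shows a passkey; the other device must ask you to TYPE it"
    return "TYPE: the other device must SHOW a passkey; type it here"
```

A UI that always renders this prompt (rather than a bare number) gives the user the reference point needed to spot a device that is running a different association model.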

PoC - BThack

This PoC is intended to make reproduction of the issue as easy as possible. If you encounter any difficulties or find a description too imprecise, please reach out so we can improve it.

Structure of the BThack framework

Usage

  1. Please check out this repo using 'git clone --recurse-submodules'
  2. Run the Makefiles in the subdirectories of the desired attack variants (pon, nop, full_mitm), and also run discovery/Makefile
  3. Connect two USB Bluetooth controllers that are compatible with BTstack (list); they should appear in lsusb (ensure that the Responder advertises using BLE, not BR/EDR)

You have two different complexities of the attack available:

A. Attack without suppressing the original victim's advertisements:
  1. Enter the folder of the desired attack variant
  2. Call the respective binary (nop, pon, full_mitm); provide the target address and the lsusb identifiers of your dongles
B. Attack with suppressing the original victim's advertisements:
  1. Add at least 3 micro:bit devices if you want to suppress victim advertisements
  2. Start the attack.py script
  3. Select your devices and the attack mode ('auto' selects the optimal method dynamically)

Simulate victim devices

To simulate BLE victims you may use the programs initiator and responder in the folder full_mitm.

Suppressing victim advertisements

In order to lead a realistic victim-Initiator into attempting the pairing with our MitM-Responder, the framework offers the option to selectively jam the advertisement messages of the victim-Responder. In this case at least 3 BBC micro:bits are required, as they contain the nRF5x chip that is utilized for jamming. For this option you are also required to flash the micro:bits with our customized version of the btlejack firmware (see the README in the respective subfolder).

Troubleshooting

Unfortunately, devices regularly get stuck while executing their modified firmware. We are trying to narrow down these issues and fix them over time. For now, we recommend stopping the software, power-cycling the devices, and restarting the software.